With SCIM (System for Cross-domain Identity Management), it is possible to synchronize users and Microsoft Entra Groups from Microsoft Entra ID (formerly Azure AD) to TeamViewer.
ðNote: This requires a Microsoft Entra Premium license subscription.
It allows administrators to create, update and deactivate users within Microsoft Entra ID and keep their TeamViewer accounts automatically updated within 1h (the current Microsoft Entra update interval).
This article applies to TeamViewer customers with an Enterprise/Tensor license.
To be able to use this feature, you must meet the following requirements:
1.) Open a browser and open TeamViewer (Classic) Management Console
(1) Sign in with your licensed TeamViewer Account
(2) Edit your Profile
2.) Click on Apps (1) and then Create Script Token (2)
3.) Enter a Name for your API Token and select the following options for the Token
4.) Click Create to receive your API Token
5.) After the token gets created, you will see the token in the overview. Expand the token, to view the API Token. Copy the token, you need it later in the Microsoft Entra ID
ð Notes:
1.) Go into your created Enterprise Application and select Provisioning
2.) You will see a new Windows. Please click on Get started.
(1) Select the Provisioning Mode Automatic
(2) Enter the Tenant URL https://webapi.teamviewer.com/scim/v2
(3) Enter for the Secret Token the API Token which you have already created
(4) Click Test Connection
(5) If the Test Connection was successful, you can click Save
3.) Now you can edit the Mappings for your provisioning
First, edit the Provision Microsoft Entra ID Groups
(1) If you want to use the Microsoft Entra ID Groups for the TeamViewer User Groups, please enable it
(2) Activate all Options for Target Object Actions
(3) Make sure you have set only the Microsoft Entra ID Attribute as displayed on the Screenshot. Delete all other entries, if you see them
(4) Click Save
4.) In the next step edit the Provision Microsoft Entra ID Users
(1) Please check if the User Sync is enabled
(2) Remove the "Delete" Option, because the SCIM API can't delete Users in the TeamViewer (Classic) Management Console
(3) Make sure you have set only the "Azure Active Directory Attribute" as displayed on the Screenshot. Delete all other entries, if you see them
5.) Activate the Option Show advanced options and click after Edit attribute list for customappsso
6.) In the Attribute List create a new String
7.) Enter the Value urn:ietf:params:scim:schemas:extension:teamviewer:1.0:SsoUser:ssoCustomerId
8.) Click Save and confirm the Changes with Yes
9.) Back in the Azure Active Directory Attribute, edit the Attribute preferredLanguage
10.) When you edit the Attribute preferredLanguage
(1) Change Apply this mapping from Always
(2) to Only during object creation
(3) Confirm the Change with OK
11.) Again in the Azure Active Directory Attribute
(1) Click Add New Mapping
(1) Change the Mapping type to Constant
(2) Enter for Constant Value the Custom Identifier which you already use from the Single Sign-On for Microsoft Entra ID
ð Note: If you don't use the same Custom Identifier, the User Sync won't work correctly
(3) Select for the Target attribute the previously created custom attribute urn:ietf:params:scim:schemas:extension:teamviewer:1.0:SsoUser:ssoCustomerId
(4) Change Apply this mapping from Always to Only during object creation
(5) Confirm the Change with OK
(1) In the Navigation Bar click on Provisioning
(2) Switch the Provisioning Status from Off to On
(1) Click in the Application on Users and groups
(2) Click Add user/group
ð Note: You have to assign an Microsoft Entra ID Group if you want to use the selected Microsoft Entra ID Group for the TeamViewer User Groups